Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.
The bug (CWE-122, CWE-787) manifests when using the %mc format specifier (malloc'd character match) in combination with a field width (width specifier) value greater than 1024. In such a situation, the scanf family function incorrectly calculates the size of the allocated heap buffer, resulting in writing one byte beyond its boundary (off-by-one heap buffer overflow). Incorrect write to the heap can lead to corruption of memory management structures.
An attacker can cause arbitrary code execution (RCE), violation of data confidentiality and integrity, or service unavailability. Network vector without authentication requirements and user interaction (AV:N/AC:L/PR:N/UI:N) significantly increases the risk of exploitation.
Update glibc to a version that does not contain the vulnerability according to information published by the vendor (announcement available at the address indicated in the references). Until the update is applied, it is recommended to avoid processing untrusted input data through scanf family functions using the %mc specifier with field width exceeding 1024.
GNU C Library (glibc) in versions from 2.7 to 2.43 inclusive — affects Linux systems and other environments using glibc within this version range.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGnu Glibc
APPGnu2.7 – 2.43
Related vulnerabilities
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with ...
The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) throug...
The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) thr...
The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse...
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may us...